Water utility hacked in attack involving SQL injection and phishing
Water utility hacked and the chemical mix changed for tap supplies. Hackers infiltrated the water utility’s control system and changed the levels of chemicals being used to treat tap water.
The cyber-attack is documented in this month’s IT security breach report from Verizon Security Solutions. The utility in question is referred to using a pseudonym, Kemuri Water Company, and its location was not revealed.
A “hacktivist” group with ties to Syria compromised Kemuri Water Company’s computers after exploiting unpatched web vulnerabilities in its internet-facing customer payment portal, it is reported.
The hack – which involved SQL injection and phishing – exposed KWC’s ageing AS/400-based operational control system because login credentials for the AS/400 were stored on the front-end web server. This system, which was connected to the internet, managed programmable logic controllers (PLCs) that regulated the valves and ducts controlling the flow of water, and of the chemicals used to treat it, through the system. Many critical IT and operational technology functions ran on a single AS/400 system, a team of computer forensic experts from Verizon subsequently concluded.
Using the same credentials found on the payment app web server, the threat actors were able to interface with the water district’s valve and flow control application, also running on the AS/400 system.
During these connections, the threat actors modified application settings with little apparent knowledge of how the flow control system worked. Fortunately, based on alert functionality, KWC was able to quickly identify and reverse the chemical and flow changes, largely minimizing the impact on customers. No clear motive for the attack was found.
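The alerting that let KWC catch and reverse the changes is the defender’s lever in this story. The following is an added illustration, not code from the Verizon report or the utility, of a minimal audit over a setpoint-change log: it flags values outside a safe band, changes made by an account that is not a known OT operator (as a web-server credential reused against the AS/400 would be), and unusually large swings. Setpoint names, bands, account names and the log format are all constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical safe operating bands per setpoint (constructed values).
SAFE_BANDS = {
    "chlorine_dose_mg_l": (0.5, 4.0),
    "intake_valve_pct": (20.0, 90.0),
}
# Accounts expected to change OT settings (constructed). A payment web
# server's service account showing up here points at credential reuse.
OT_OPERATORS = {"ops_day", "ops_night"}


@dataclass
class Change:
    ts: str
    user: str
    setpoint: str
    old: float
    new: float


def parse_line(line: str) -> Change:
    # Constructed log format: "<timestamp> <user> <setpoint> <old>-><new>"
    ts, user, setpoint, delta = line.split()
    old, new = delta.split("->")
    return Change(ts, user, setpoint, float(old), float(new))


def audit(lines):
    """Return (timestamp, rule, setpoint, detail) tuples for suspicious changes."""
    alerts = []
    for line in lines:
        c = parse_line(line)
        lo, hi = SAFE_BANDS[c.setpoint]
        if not lo <= c.new <= hi:
            alerts.append((c.ts, "out_of_band", c.setpoint, c.new))
        if c.user not in OT_OPERATORS:
            alerts.append((c.ts, "unexpected_account", c.setpoint, c.user))
        # A jump of more than half the safe band is worth a look even when
        # the new value is in band (this also catches the operator's reversal).
        if abs(c.new - c.old) > 0.5 * (hi - lo):
            alerts.append((c.ts, "large_swing", c.setpoint, c.new - c.old))
    return alerts


# Constructed sample: a routine change, two late-night changes from a
# web-server account, then an operator putting dosing back.
SAMPLE_LOG = [
    "2016-03-01T09:10 ops_day chlorine_dose_mg_l 1.8->2.0",
    "2016-03-01T23:40 payweb_svc chlorine_dose_mg_l 2.0->7.5",
    "2016-03-02T00:05 payweb_svc intake_valve_pct 60->15",
    "2016-03-02T00:30 ops_night chlorine_dose_mg_l 7.5->2.0",
]
```

Running `audit(SAMPLE_LOG)` produces nothing for the routine change and three alerts for each of the web-server account’s changes; the reversal is reported only as a large swing.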
Verizon’s RISK Team uncovered evidence that the hacktivists had manipulated the valves controlling the flow of chemicals twice. Luckily, it seems the activists lacked either the knowledge of SCADA systems or the intent to do any harm.
The same hack also resulted in the exposure of personal information of the utility’s 2.5 million customers. There’s no evidence that this has been monetized or used to commit fraud. Infrastructure systems are being targeted because they are generally under-resourced or believed to be out of band or not connected to the internet. Organizations must leverage this information to collectively raise the bar in security to better detect, prevent and respond to advanced attacks. Working collectively is our best route to getting ahead of attackers.
Recently hackers caused “serious damage” after breaching a German steel mill and wrecking one of its blast furnaces, according to a German government agency. Hackers got into production systems after tricking victims with spear phishing emails, said the agency.